Lenovo laptops riddled with Superfish STILL on sale

The Lenovo Superfish debacle was the most shocking example of how bad pre-installed software has become. Not only was the software injecting adverts into websites, it was also a massive security threat, making SSL connections potentially insecure. It even led to the Lenovo CEO making an official apology for the instance.

Given the bad press that the company suffered, you’d think that it would be doing everything it could to make sure that customers couldn’t buy models with Superfish installed. Sadly, that’s not the case, as we found out thanks to a reader tip-off.

Find out how to detect and remove Superfish

Our reader had bought a Lenovo Z50-70 laptop from John Lewis on the 14th February, and discovered that Superfish was pre-installed on their computer when Kaspersky Internet Security detected it as ‘Trojan.Multi.CertStor.a’. While this cleaned the software from the computer, it was still shocking that at this point computers could still be bought with Superfish still installed.

To find out which laptops running Superfish were still available, we took a trip to PC World on Tottenham Court Road and John Lewis on Oxford Street in London. We went through all the Lenovo laptops on show and looked for Superfish in the list of installed programs in Programs and Features, as well as for the Superfish trusted root certificate, which makes SSL insecure.

In PC World we found that the 14in Lenovo Flex 2 laptop (£500) was still infected, with the software installed and the root certificate still in place. As the computer was connected to the internet, we tested it using the Superfish vulnerability testing tool and got a warning message. Talking to PC World staff, we were told that there’s a removal tool available from Lenovo, and that the PC World Know How desk would check any Lenovo laptop purchase, removing Superfish before the computer leaves the store.

^We found a Lenovo Flex 2 laptop in PC World, which still had the software installed

Moving on to John Lewis, we found that a Lenovo Z50-70 laptop (the same model as our reader bought) was still infected with the software, with both the root certificate and actual software still installed. Talking to John Lewis staff, we were told that head office hadn’t said anything about Superfish, but the sales assistant we spoke to was knowledgeable and told us that there’s a removal tool available, that updating security software would remove Superfish, and that a better option would be to buy a similarly specified laptop from a different manufacturer.

The offending Lenovo Z50-70 laptop in John Lewis

We got in touch with Lenovo to find out what its position was and how it was dealing with retailers and customers. Rather than provide a dedicated response to our issue, Lenovo simply responded with its open letter, written by Peter Hortensius, CEO. As well as talking about Lenovo’s removal tool, it says, “Microsoft, McAfee and Symantec updated their software to automatically disable and remove this Superfish software. This means users with any of these products active will be automatically protected. We thank them for their quick response.

“Together, these actions mean all new products already in inventory will be protected. Shortly after the system is first powered-on the AV program will initiate a scan and then remove Superfish from the system. For systems which are re-imaged from the backup partition on the HDD Superfish will also be removed in the same manner. For products already in use, Superfish will be removed when their antivirus programs update.”

The Superfish certificate is clearly still installed (click to enlarge)

In other words, Lenovo is relying on third-party tools or customers’ own actions to remove this software from their computers. If a customer doesn’t update their AV software and doesn’t keep up to date with the latest security news, it means that computers are still being sold with this software pre-loaded. Anyone that restores their computer using the factory restore option, will also restore Superfish; Lenovo says that the same tactic as above (waiting for the security software to update) will remove the program. Lenovo is also working on creating clean factory restore partitions.

For the time being, if you’re going to buy a Lenovo laptop you have three choices. First, you can go to store and check if the demo unit is clean. Secondly, you can buy a laptop and leave it up to the security software to detect and remove Superfish, if it’s pre-installed. Thirdly, you can buy any other make of laptop instead. Our guide to the best laptops will help you find the right model.

For those still interested in Lenovo laptops, here’s a list of models, which Lenovo says “Superfish may have appeared on”:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch 
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30